
I ran npm audit and DepGra on the same project — here's what each one caught
I wanted to see how different tools handle the same dependency tree, so I ran both npm audit and my open-source tool DepGra against a real Next.js project with 1,312 packages. Here's what actually happened.

The project

The test subject is a production Next.js app with a 19,000-line package-lock.json: 1,312 packages and 3,792 dependency relationships. A pretty typical mid-size project.

npm audit results

npm audit reported 10 vulnerabilities (3 moderate, 7 high) across 8 packages:

- serialize-javascript@6.0.2: RCE via RegExp.flags (high)
- next@15.5.9: 2 advisories (high)
- minimatch@3.1.2 and minimatch@9.0.5: 3 ReDoS advisories each (high)
- flatted@3.3.3: unbounded recursion DoS (high)
- rollup@4.54.0: arbitrary file write via path traversal (high)
- ai@4.3.19: filetype whitelist bypass (moderate)
- jsondiffpatch@0.6.0: XSS via HtmlFormatter (moderate)
- ajv@6.12.6 and ajv@8.17.1: ReDoS with $data option (moderate)

npm audit also tells you which vulnerabilities have fixes available and
Continue reading on Dev.to


